
Win32.Anset.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Anset.A@mm is also known as I-worm.Anset.b.

Explanation:

This virus is an Internet worm that spreads through e-mail and runs on Windows platforms. The infected e-mail has the following format:

Subject: ANTS Version 3.0
Body:

Hi,

Anhängend die neue Version 3.0 von ANTS, dem bislang einzigartigen
kostenlosen Trojanerscanner. Zum installieren einfach die angefügte Datei
ausführen.

Attached you will find the brand new Version 3.0 of ANTS, the unique
freeware trojan scanner. To install ANTS simply run the attached setup file.

Adieu, Andreas
webmaster@avnetwork.de
http://www.ants-online.de


Attachment: ants3set.exe
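The subject line and attachment name above are the two indicators a mail gateway can match without running the attachment. The following is an added example, not code from BitDefender or from the page: it parses a raw RFC 5322 message with Python's standard `email` package and reports which of the described traits it shows. The sender and recipient addresses in the constructed sample are placeholders, and the four attachment bytes are a stand-in, not the worm's binary.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Indicators taken from the description of the infected e-mail above.
LURE_SUBJECT = "ANTS Version 3.0"
LURE_ATTACHMENT = "ants3set.exe"


def attachment_names(msg):
    """Collect the filenames of every part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def match_anset_lure(raw):
    """Return the list of indicators a raw message matches.

    An empty list means the message shows none of the described traits.
    Checks are case-insensitive because attachment names and subjects are
    often re-cased by intermediate mail software.
    """
    msg = message_from_bytes(raw, policy=default)
    subject = str(msg["subject"] or "").strip()
    names = [n.lower() for n in attachment_names(msg)]
    reasons = []
    if subject.lower() == LURE_SUBJECT.lower():
        reasons.append("subject")
    if LURE_ATTACHMENT in names:
        reasons.append("attachment-name")
    if any(n.endswith(".exe") for n in names):
        reasons.append("executable-attachment")
    return reasons


def build_sample(subject, attachment_name):
    """Construct a sample message for testing (addresses are placeholders)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Hi,\n\nAttached you will find the brand new Version 3.0 of ANTS.\n")
    # Four placeholder bytes stand in for the attachment body; this is not a real binary.
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    print(match_anset_lure(build_sample("ANTS Version 3.0", "ants3set.exe")))
    print(match_anset_lure(build_sample("Quarterly report", "report.pdf")))
```

The `executable-attachment` check is deliberately broader than the worm's own name: a gateway rule that only matches `ants3set.exe` is defeated by the next variant, whereas blocking executable attachments outright covers the whole family of mass-mailers described here.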

When the user executes the attachment, the virus installs itself by copying itself into the Windows directory under a random name.

It creates a random-named key in:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
with the value pointing to the copied virus file.
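The persistence described here leaves a recognisable shape in the registry: a RunOnce entry pointing at an executable that sits directly in the Windows directory rather than in System32 or a program folder. The following added example (not from the page or from BitDefender) applies that heuristic to a dump of RunOnce entries. The Windows directory path, the small allowlist of binaries that legitimately live there, and the sample entries are all constructed assumptions; on a live system the entries would be read with `winreg`, which is left out so the code runs offline.

```python
from pathlib import PureWindowsPath

# Assumed Windows directory and an assumed allowlist of executables that
# legitimately live directly in it (not in System32).
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")
KNOWN_WINDIR_EXES = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe", "hh.exe"}


def parse_command(value):
    """Extract the executable path from a Run/RunOnce command string.

    Handles both quoted paths followed by arguments and bare paths.
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def is_suspicious_runonce(value):
    """Heuristic for the worm's persistence: a RunOnce target that is an
    unknown .exe placed directly in the Windows directory."""
    exe = PureWindowsPath(parse_command(value))
    if exe.suffix.lower() != ".exe":
        return False
    if exe.parent != WINDOWS_DIR:  # PureWindowsPath compares case-insensitively
        return False
    return exe.name.lower() not in KNOWN_WINDIR_EXES


def triage(entries):
    """Return the names of the RunOnce entries that match the heuristic."""
    return [name for name, value in entries.items() if is_suspicious_runonce(value)]


# Constructed sample of what a dump of HKCU\...\RunOnce might contain.
SAMPLE_ENTRIES = {
    "xkqzr": r"C:\WINDOWS\xkqzr.exe",                                    # random-named copy in the Windows directory
    "VendorSetup": r'"C:\Program Files\Vendor\setup.exe" /postinstall',  # installer follow-up, different folder
    "Cleanup": r"C:\Windows\System32\cmd.exe /c del C:\Temp\x.tmp",     # lives in System32, not flagged
    "Notes": r"C:\Windows\notepad.exe C:\Users\me\readme.txt",          # known Windows-directory binary
}

if __name__ == "__main__":
    for name in triage(SAMPLE_ENTRIES):
        print(f"suspicious RunOnce entry: {name} -> {SAMPLE_ENTRIES[name]}")
```

RunOnce is a useful place to look precisely because legitimate software rarely uses it outside of installers; an entry that survives past the next logon, or that points at a binary no installer would drop into the Windows directory, deserves a closer look.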

Once installed, the worm starts its spreading routine. It builds a list of e-mail addresses from the Outlook Address Book and from all files on drive C: whose extension is one of:

.php
.htm
.shtm
.cgi
.pl


in which it looks for the string mailto:. It also reads the Internet Explorer cache and History folders and searches the files they contain for e-mail addresses.

The virus carries a built-in list of SMTP (Simple Mail Transfer Protocol) servers, to which it adds the SMTP servers from the user's Internet accounts (if any). The built-in list contains the following addresses:

200.52.69.2
200.52.69.9
193.92.94.226
12.34.208.35
195.229.189.2
toad.com
196.40.0.82
196.40.0.90


To send the e-mails, it creates a copy of itself in the root of drive C: named ants3set.exe, attaches that file to the infected e-mails and delivers them directly to an SMTP server from its list. This method is largely invisible to the user and is independent of the user's mail settings or programs.

Even if the user does not have a mail account, a simple Internet connection is enough for this worm to spread.
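Because the worm talks to SMTP servers itself instead of going through the user's mail client, the behaviour is visible on the network: a workstation opening TCP port 25 connections to hosts that are not the organisation's mail relay, including the hard-coded addresses listed above. The following is an added example (not from the page or from BitDefender) that runs that check over constructed flow records; the record format, the internal network, and the relay address are assumptions. The hostname entry `toad.com` is kept in the indicator set as written on the page, so matching it requires records that carry the resolved name.

```python
# Hard-coded SMTP server list from the description above.
ANSET_SMTP_SERVERS = {
    "200.52.69.2", "200.52.69.9", "193.92.94.226", "12.34.208.35",
    "195.229.189.2", "toad.com", "196.40.0.82", "196.40.0.90",
}


def parse_flow(line):
    """Parse one constructed flow record: '<timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def classify(flow, mail_relays):
    """Return a verdict for an SMTP flow, or None if it is not worth alerting on.

    mail_relays is the set of hosts that workstations are allowed to hand mail to.
    """
    if flow["proto"] != "tcp" or flow["dport"] != 25:
        return None
    if flow["dst"] in ANSET_SMTP_SERVERS:
        return "known-anset-smtp"
    if flow["dst"] not in mail_relays:
        # A host speaking SMTP to the Internet directly is the generic signature
        # of a mass-mailer with its own SMTP engine, whatever its server list.
        return "direct-smtp-from-host"
    return None


def detect(flow_text, mail_relays):
    """Run the classifier over a block of flow records and return the hits."""
    hits = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = classify(flow, mail_relays)
        if verdict:
            hits.append((flow["src"], flow["dst"], verdict))
    return hits


# Constructed sample flows: an internal relay at 10.0.0.5, two hosts reaching
# addresses from the worm's list, one host mailing some other external server.
SAMPLE_FLOWS = """
2011-11-21T10:00:01 10.0.0.15 200.52.69.2 25 tcp
2011-11-21T10:00:02 10.0.0.15 10.0.0.5 25 tcp
2011-11-21T10:00:03 10.0.0.22 196.40.0.90 25 tcp
2011-11-21T10:00:04 10.0.0.22 93.184.216.34 443 tcp
2011-11-21T10:00:05 10.0.0.31 198.51.100.7 25 tcp
"""
INTERNAL_RELAYS = {"10.0.0.5"}

if __name__ == "__main__":
    for src, dst, verdict in detect(SAMPLE_FLOWS, INTERNAL_RELAYS):
        print(f"{src} -> {dst}:25 {verdict}")
```

The second verdict is the one that ages well: the fixed address list identifies this particular worm, while a rule that only the designated relay may send on port 25 (and an egress filter that enforces it) stops every worm that carries its own SMTP engine, which is exactly the property the text above describes.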

Last update 21 November 2011

 
